The End of Passwords?
One of the great annoyances of the Internet is slowly going away.
WSJ (“Technology Alliance Says It Is Closer to Killing Off Passwords”):
A group of technology companies including Apple Inc., Alphabet Inc.’s Google and Microsoft Corp. says it is a step closer to eliminating what many people call one of the worst aspects of the internet experience: passwords.
The Fast Identity Online Alliance has for nearly a decade worked on a system that lets users log into their online accounts simply by using the unlock mechanisms of their smartphones or computers. Rather than sending a password over a network susceptible to outside interference, users connect a public “key,” which sits on the account service provider’s server, to a private one, which cannot be removed from their device.
Previous versions of the group’s system still required people on new devices to enter passwords for each account before they could go password-free. Now, it says it has found a way to let users log into online accounts with their faces, fingerprints and PIN codes straightaway, even on brand-new devices.
The update “means that users don’t need passwords anymore,” said a white paper by the alliance, called FIDO for short. “As they move from device to device, their FIDO credentials are already there, ready to be used.”
The alliance, which represents more than 250 members, has been trying to reduce reliance on passwords since 2013, when six companies including PayPal Holdings Inc. and Lenovo Group Ltd. came together to develop a new, safer industry standard for online authentication.
Passwords create not just friction on the information superhighway, critics have long complained, but real frustration and even abandoned accounts when consumers forget their secret codes. They also still leave users, businesses and other organizations vulnerable to hackers and other bad actors.
Security solutions such as two-factor authentication, in which users typically supplement passwords with push notifications or codes sent by apps or texts, bring their own drawbacks. Plenty of people seem uninclined to opt in.
“Even though we know in 2022 that passwords are inherently insecure and creating lots of problems, getting people to actually secure them is still a challenge,” said Merritt Maxim, vice president and research director at research firm Forrester Research Inc., where he specializes in security and risk.
Passwords are “the cockroaches of the internet,” Mr. Maxim said—irritating, hardy and worth taking the time to kill.
But a completely passwordless world is still far off, said Forrester’s Mr. Maxim. FIDO’s vision mostly relies upon account holders having their own connected devices, which is not true for all users globally, he said. And while the system does not share users’ biometric data with account service providers, some privacy-minded users may hesitate to use their faces and fingerprints to unlock everything, he said.
The alliance tested which language, icons and information makes people feel most comfortable with switching on FIDO, said Andrew Shikiar, the group’s executive director and chief marketing officer.
“People need to adjust from doing what they know—just entering passwords—to doing something that they know how to do, but don’t really connect with logging in,” Mr. Shikiar said.
I’ve been using a commercial password manager for years but the process remains far from seamless and having to constantly log in on multiple devices for things that I’m paying for is certainly annoying.
If, for example, I want to read a WSJ or WaPo article on my phone and do so from their respective apps, it’s seldom an issue. If, however, I follow a link from, say, Google News to one of their stories, I frequently have to go through the machinations of logging in.
And, for reasons I’ve never figured out, the Disney bundle (Disney+, Hulu, and ESPN+) is incredibly poorly integrated. We happily pay the subscription price but the logins frequently need to be re-entered and reset. Inexplicably, while I can get ESPN premium video streaming pretty easily from any device, I’ve never been able to get the premium text content on my laptop and am only able to do so roughly 70 percent of the time via my iPhone. There’s simply no reason it should be that difficult.
Meanwhile, despite Randall Munroe’s password strength generator becoming a meme more than a decade ago, the trend described in the cartoon has actually increased. I have several seldom-used but critical work-related sites that I have to log into once or twice a year that require creating a new, incredibly complicated, password every three months—thus, every time I use it—that require me to type insanely long text with multiple changes in the shift key blind and then duplicate it.
And, amusingly, my WordPress instance logged out just as I typed that last paragraph, requiring me to log back in. Thankfully, the password for that is saved, requiring little effort.